Hello and welcome to Firewall Management 201. I am Professor Wool, and today we're going to be talking about firewall rule recertification. So what are we talking about here? Well, in your firewall you have rules that allow traffic from one place to another using some protocols and ports, and you want to ask yourself occasionally: is that traffic still necessary? Is that rule still necessary? Well, why wouldn't it be? Well, there could be many things that cause a rule to become unnecessary. Perhaps the application has been decommissioned and it's no longer necessary. Perhaps one of the endpoints was migrated to a different datacenter and changed its IP address, so you need a different rule. Perhaps the application has been upgraded and now uses different services and different ports, so you have new rules and you can get rid of the old ones. For all of these reasons you occasionally need to check your rule base and answer this big question: is this rule still necessary? And to do that, security-conscious organizations institute a rule recertification policy, which means that periodically every rule has to be reviewed and checked as to whether it's still necessary or not. This could be done every year or every other year, depending on how many resources you have to spend on this issue.

Now, having a policy that requires you to recertify all the rules periodically does not mean it's easy. You need to be able to answer questions like: what is the rule there for, and who asked for it?
Who is the business owner for that application? To be able to answer such questions you need documentation; that is key. You need to have all your rules documented so that you have a trail of breadcrumbs that will lead you to discover what the rule is for or who owns it when it comes time to recertify it. And how do you document all these rules? Well, first of all, you need to do it when the rule is created. When it's time to recertify it, it's a little late; you want to have the rules documented when they're created in the first place. And when you're doing that, when you're creating the rule, a good idea is to use the comment fields. Pretty much every firewall vendor allows you to attach comments to rules, and you should get into the habit of adding information to the rule comments specifying what that rule is for and who asked for it. Then, when you need to recertify, you have information available for you to start the recertification process, and you can discover whether the rule is still necessary and who owns it.

Now, some vendors don't provide very convenient documentation and commenting mechanisms, so luckily there are third-party tools out there that you can use to centrally manage and document your firewall rules across multiple vendors, and use those systems to have more comments; maybe they're not restricted in terms of length, and you can have long documentation, attached documents, etc. Use those types of systems to supply the information that you will need later when you recertify.

Furthermore, you need to have a process that supports and enhances your ability to document. So if you have a good, solid workflow system that lets you document the requirements and specify what the request is for, what the change is for, what the application is doing, who's in charge of it, and all of that is kept documented in a database that eventually is connected to the rules, then you have a very good place to look when you need to recertify, and you can discover that you can eliminate things.
Now, unfortunately, not all of us live in a perfect world, and we have to live with systems that were created long before we joined the team, and systems evolved. So how do we discover if an old rule that is not properly documented is still necessary? Here are a few practical tips that can help. A key piece of information is the rule usage: when was that rule last used, how often is it used, is it maybe completely unused? So again, there are systems out there that can extract this usage information from the firewall hit counters or from the firewall logs and can give you a report on which rules are inactive and which rules were last used a long time ago; these are obvious candidates for removal. Another trick that you could use is time clauses. Most vendors allow you to attach a time clause to a rule, so you can specify that the rule is only active until December 31st of next year, and after that it stops working. Once rules stop working and nobody's complaining, then that's obviously a good trigger to eliminate them permanently.
Now, one word of caution: if you have one rule, you could have that one rule support many applications. Perhaps John asked for a rule last year, and then six months later Jane asked for a rule that would support her application, and technically those two requests were merged into one rule. So now, when you decide that John's rule is no longer necessary, it doesn't mean that you can eliminate the firewall rule. You need to check and discover all the applications that rely on that one rule, and get the approval from all the business owners that that rule can be eliminated. So you need to be a little bit careful, and there are applications out there that assist you in discovering these relationships between applications and rules. That's what we have today about rule recertification. Thank you for your attention.
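As an added example (not from the lesson, the speaker, or any vendor product), the following Python script does on constructed data what the practical tips above describe: it derives rule usage (hit count and last hit) from sample log lines, treats an expiry date recorded in the rule comment as a stand-in for a vendor time clause, and for each rule lists every requester found in a merged comment so the recertifier knows whose approval is needed before removing it. The rule IDs, the log line format, the comment convention and the sample log lines are all assumptions constructed for this example.

```python
"""Rule recertification helper on a constructed rule base and log sample.

Flags rules that are expired, unused, or stale, and lists every owner who
must approve removal (a merged rule can carry several requesters)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed rule base: rule id -> comment field. Assumed comment convention:
# "owner=<name>;app=<name>" entries separated by "|", with an optional
# "expires=YYYY-MM-DD" that models a time clause on the rule.
RULES = {
    "R1": "owner=John;app=Billing | owner=Jane;app=Reporting",   # merged rule
    "R2": "owner=Ops;app=Backup;expires=2023-12-31",              # time clause
    "R3": "",                                                     # undocumented legacy rule
    "R4": "owner=Sec;app=Monitoring",
    "R5": "owner=Dev;app=Staging",
}

# Constructed sample log lines in an assumed format:
# "<ISO timestamp> action=<verdict> rule=<id> src=<ip> dst=<ip> dport=<port>"
LOGS = """\
2024-03-01T10:00:00 action=accept rule=R1 src=10.1.1.5 dst=10.2.2.9 dport=443
2024-03-02T11:15:00 action=accept rule=R1 src=10.1.1.6 dst=10.2.2.9 dport=443
2023-06-15T08:00:00 action=accept rule=R2 src=10.3.0.2 dst=10.4.0.7 dport=22
2024-03-03T09:30:00 action=accept rule=R4 src=10.5.0.1 dst=10.6.0.3 dport=514
2023-08-01T02:00:00 action=accept rule=R5 src=10.7.0.4 dst=10.8.0.2 dport=8080
2024-03-03T09:31:00 action=accept rule=R9 src=10.9.0.1 dst=10.9.0.2 dport=80
this line is malformed and must be skipped
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) action=\w+ rule=(?P<rule>\S+)")
ENTRY_RE = re.compile(r"owner=(?P<owner>[^;|]+);app=(?P<app>[^;|]+)")
EXPIRES_RE = re.compile(r"expires=(\d{4}-\d{2}-\d{2})")


@dataclass
class Usage:
    hits: int = 0
    last_hit: Optional[datetime] = None


def parse_usage(log_text: str, rule_ids) -> Dict[str, Usage]:
    """Count hits and record the most recent hit per known rule id.

    Lines that do not parse, or reference a rule not in the rule base, are ignored."""
    usage = {rid: Usage() for rid in rule_ids}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["rule"] not in usage:
            continue
        ts = datetime.fromisoformat(m["ts"])
        u = usage[m["rule"]]
        u.hits += 1
        if u.last_hit is None or ts > u.last_hit:
            u.last_hit = ts
    return usage


def owners(comment: str) -> List[Tuple[str, str]]:
    """Every (owner, application) pair recorded in the comment, in order."""
    return [(m["owner"].strip(), m["app"].strip()) for m in ENTRY_RE.finditer(comment)]


def expiry(comment: str) -> Optional[datetime]:
    """Expiry date from the comment's time-clause field, if any."""
    m = EXPIRES_RE.search(comment)
    return datetime.fromisoformat(m.group(1)) if m else None


def recertify(rules: Dict[str, str], log_text: str, today: datetime,
              stale_after: timedelta = timedelta(days=180)) -> Dict[str, dict]:
    """Classify each rule and list the approvers needed to remove it.

    Precedence: expired (time clause passed) > unused (no hits) > stale
    (last hit older than stale_after) > active."""
    usage = parse_usage(log_text, rules)
    report = {}
    for rid, comment in rules.items():
        u, exp = usage[rid], expiry(comment)
        if exp is not None and exp < today:
            status = "expired"
        elif u.hits == 0:
            status = "unused"
        elif today - u.last_hit > stale_after:
            status = "stale"
        else:
            status = "active"
        who = owners(comment)
        report[rid] = {
            "status": status,
            "hits": u.hits,
            "last_hit": u.last_hit,
            "approvers": sorted({o for o, _ in who}),   # all must sign off
            "apps": sorted({a for _, a in who}),
            "undocumented": not who,                      # nobody to ask: investigate first
        }
    return report


if __name__ == "__main__":
    for rid, r in recertify(RULES, LOGS, datetime(2024, 3, 10)).items():
        print(f"{rid}: {r['status']:8} hits={r['hits']} last={r['last_hit']} "
              f"approvers={r['approvers'] or 'UNKNOWN'} apps={r['apps']}")
```

The removal candidates are the expired, unused and stale rules, but R1 shows the caution from the lesson in code: removing it requires sign-off from both Jane and John, and R3 has no recorded owner at all, so it needs investigation rather than deletion.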